Thankyou very much, this is exactly what I needed to understand i.e. the flow and this document is really very helpful.

Now as per the document in step 3 i.e The message reaches the corporate firewall, where it passes through port 3101 to the BlackBerry Enterprise Server. - For this to work, I need to open port 3101 inbound also in the firewall from the RIM network to the BES server right ?

If yes, then do I need to assign a public IP to BES server and have a rule like
From RIMS Network to BES Public -allow port 3101 ?

Pls let me know which would be ideal from security point of view and functional for BES.

Second question is in step 4 i.e. The BlackBerry Enterprise Server decrypts the message, decompresses it, and routes it to the messaging server. - In this flow are there any chances of a spam or virus attack where a blackberry device i.e source can be spoofed or something of that sort ? or the PIN number of a blackberry device is unique using which we register a device to BES express Server and cannot be altered in anyway, the main reason being the BES will be routing mail to exchange directly and not via the email security appliance if I understood it right?